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Abstract 


This document describes the encryption algorithm Rabbit. It isa 
stream cipher algorithm with a 128-bit key and 64-bit initialization 
vector (IV). The method was published in 2003 and has been subject 
to public security and performance revision. Its high performance 
makes it particularly suited for the use with Internet protocols 
where large amounts of data have to be processed. 
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Introduction 


Rabbit is a stream cipher algorithm that has been designed for high 
performance in software implementations. Both key setup and 
encryption are very fast, making the algorithm particularly suited 
for all applications where large amounts of data or large numbers of 
data packages have to be encrypted. Examples include, but are not 
limited to, server-side encryption, multimedia encryption, hard-disk 
encryption, and encryption on limited-resource devices. 


The cipher is based on ideas derived from the behavior of certain 
chaotic maps. These maps have been carefully discretized, resulting 
in a compact stream cipher. Rabbit has been openly published in 2003 
[1] and has not displayed any weaknesses as of the time of this 
writing. To ensure ongoing security evaluation, it was also 
submitted to the ECRYPT eSTREAM project[2]. 


Technically, Rabbit consists of a pseudorandom bitstream generator 
that takes a 128-bit key and a 64-bit initialization vector (IV) as 
input and generates a stream of 128-bit blocks. Encryption is 
performed by combining this output with the message, using the 
exclusive-OR operation. Decryption is performed in exactly the same 
way as encryption. 


Further information about Rabbit, including reference implementation, 
test vectors, performance figures, and security white papers, is 
available from http://www.cryptico.com/. 

Algorithm Description 


1. Notation 


This document uses the following elementary operators: 


+ integer addition. 

^ integer multiplication. 
div integer division. 
mod integer modulus. 

X bitwise exclusive-OR operation. 
<<< left rotation operator. 


| | concatenation operator. 


When labeling bits of a variable, A, the least significant bit is 
denoted by A[0]. The notation A[h..g] represents bits h through g of 
variable A, where h is more significant than g. Similar variables 
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are labeled by A0,A1,... with the notation A(0),A(1),... being used 
to denote those same variables if this improves readability. 


Given a 64-bit word, the function MSW extracts the most significant 
32 bits, whereas the function LSW extracts the least significant 32 
bits. 


Constants prefixed with 0x are in hexadecimal notation. In 
particular, the constant WORDSIZE is defined to be 0x100000000. 


2.2. Inner State 


The internal state of the stream cipher consists of 513 bits. 512 
bits are divided between eight 32-bit state variables, X0,...,X7 and 
eight 32-bit counter variables, CO,...,C7. In addition, there is one 
counter carry bit, b. 


2.3. Key Setup Scheme 


The counter carry bit b is initialized to zero. The state and 
counter words are derived from the key K[127..0]. 


The key is divided into subkeys KO = K[15..0], Ki = K[31..16], ... K7 
= K[127..112]. The initial state is initialized as follows: 


for j=0 to 7: 
if j is even: 
Xj = K(j+1 mod 8) | Kj 


Cj = K(3+4 mod 8) K(3+5 mod 8) 
else: 

Xj = K(3+5 mod 8) || K(j+4 mod 8) 

Cj = Kj || K(j*1 mod 8) 


The system is then iterated four times, each iteration consisting of 
counter update (Section 2.5) and next-state function (Section 2.6). 
After that, the counter variables are reinitialized to 


for j=0 to 7: 
Cj = Cj ^ X(3+4 mod 8) 


2.4. IV Setup Scheme 
If an IV is used for encryption, the counter variables are modified 
after the key setup.  Denoting the IV bits by IV[63..0], the setup 


proceeds as follows: 


CO = CO ^ IV[31..0] C1 = C1 ^ (IV[63..48] || IV[31..16]) 
CH=. C2 a Xvr63:.32] Q3 gg € (IV [474 S32] (LI AVES eT) 
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C4 = C4 ^ IV[31..0] C5 = C5 ^ (IV[63..48] || IV[31..161) 
C6 = C6 * IV[63..32] GU = CT An ATT A EE 
The system is then iterated another 4 times, each iteration 
consisting of counter update (Section 2.5) and next-state function 


(Section 2.6). 


The relationship between key and IV setup is as follows: 


- After the key setup, the resulting inner state is saved as a master 
state. Then the IV setup is run to obtain the first encryption 
starting state. 


- Whenever re-initialization under a new IV is necessary, the IV 
setup is run on the master state again to derive the next 
encryption starting state. 


2.5. Counter System 
Before each execution of the next-state function (Section 2.6), the 


counter system has to be updated. This system uses constants 
Al,...,A7, as follows: 


AO = 0x4D34D34D Al = 0xD34D34D3 
A2 = 0x34D34D34 A3 = 0x4D34D34D 
A4 = 0xD34D34D3 A5 = 0x34D34D34 
AG = 0x4D34D34D A7 = 0xD34D34D3 


It also uses the counter carry bit b to update the counter system, as 
follows: 


for j=0 to 7: 
temp = Cj + Aj +b 
b temp div WORDSIZE 
Cj temp mod WORDSIZE 


Note that on exiting this loop, the variable b has to be preserved 
for the next iteration of the system. 


2.6. Next-State Function 
The core of the Rabbit algorithm is the next-state function. It is 
based on the function g, which transforms two 32-bit inputs into one 
32-bit output, as follows: 


g(u,v) = LSW(square(utv)) ^ MSW(square (u+v)) 


where square(utv) = ((u+v mod WORDSIZE) * (u+v mod WORDSIZE)). 
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Using this function, the algorithm updates the inner state as 
follows: 


for j=0 to 7: 
Gj = g(Xj,Cj) 


XO = GO + (G7 <<< 16) + (G6 <<< 16) mod WORDSIZE 
x1 = Gl + (GO <<< 8) + G7 mod WORDSIZE 
X2 = G2 + (Gl <<< 16) + (GO <<< 16) mod WORDSIZE 
X3 = G3 + (G2 <<< 8) + Gl mod WORDSIZE 
X4 = GA + (G3 <<< 16) + (G2 <<< 16) mod WORDSIZE 
X5. = G5 + (GA <<< 8) + G3 mod WORDSIZE 
X6 = G6 + (G5 <<< 16) + (G4 <<< 16) mod WORDSIZE 
X7 = G7 + (G6 <<< 8) + G5 mod WORDSIZE 
2.7. Extraction Scheme 


After the key and IV setup are concluded, the algorithm is iterated 
in order to produce one 128-bit output block, S, per round. Each 
round consists of executing steps 2.5 and 2.6 and then extracting an 
output S[127..0] as follows: 


S 155.09] = X0[15..0] ^ X5[31..16] 
Si 3T. 216] = X0[31..16] ^ X3[15..0] 
S[47..32] = X2[15..0] ^ X7[31..16] 
S[63..48] = X2[31..16] * X5[15..0] 
S[79..64] = X4[15..0] ^ X1[31..16] 
S[95..80] = X4[31..16] ^ X7[15..0] 
s[111..96] = X6[15..0] ^ X3[31..16] 


S[I27;.112]1 e OS TG NA XL S20] 
2.8. Encryption/Decryption Scheme 


Given a 128-bit message block, M, encryption E and decryption M’ are 
computed via 


E = M?S and 
M^ =E ^S. 


If S is the same in both operations (as it should be if the same key 
and IV are used), then M = M’. 


The encryption/decryption scheme is repeated until all blocks in the 
message have been encrypted/decrypted. If the message size is not a 
multiple of 128 bits, only the needed amount of least significant 
bits from the last output block S is used for the last message block 
M. 
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If the application requires the encryption of smaller blocks (or even 
individual bits), a 128-bit buffer is used. The buffer is 
initialized by generating a new value, S, and copying it into the 
buffer. After that, all data blocks are encrypted using the least 
significant bits in this buffer. Whenever the buffer is empty, a new 
value S is generated and copied into the buffer. 


3. Security Considerations 


For an encryption algorithm, the security provided is, of course, the 
most important issue. No security weaknesses have been found to 
date, neither by the designers nor by independent cryptographers 
scrutinizing the algorithms after its publication in [1]. Note that 
a full discussion of Rabbit’s security against known cryptanalytic 
techniques is provided in [3]. 


In the following, we restrict ourselves to some rules on how to use 
the Rabbit algorithm properly. 


3.1. Message Length 


Rabbit was designed to encrypt up to 2 to the power of 64 128-bit 
message blocks under the same the key. Should this amount of data 
ever be exceeded, the key has to be replaced. It is recommended to 
follow this rule even when the IV is changed on a regular basis. 


3.2. Initialization Vector 


It is possible to run Rabbit without the IV setup. However, in this 
case, the generator must never be reset under the same key, since 
this would destroy its security (for a recent example, see [4]). 
However, in order to guarantee synchronization between sender and 
receiver, ciphers are frequently reset in practice. This means that 
both sender and receiver set the inner state of the cipher back toa 
known value and then derive the new encryption state using an IV. If 
this is done, it is important to make sure that no IV is ever reused 
under the same key. 
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Rabbit Encryption 


This is a set of test vectors for conformance testing, 
they have to be transformed into integers 
as described in [5]. 


form. 


For use with Rabbit, 
by the conversion primitives OS2IP and I2OSP, 


A.1. Testing without IV Setup 
key [00 00 00 00 00 00 00 00 00 00 00 
S[0] = [B1 57 54 FO 36 A5 D6 EC F5 6B 45 
S[1] = [88 E8 D8 15 C5 9C OC 39 7B 69 6C 
S[2] = [F4 16 Al C3 70 OC D4 51 DA 68 DI 
key = [91 28 13 29 2E 3D 36 FE 3B FC 62 
S[O] = [3D 2D F3 C8 3E F6 27 Al E9 7F C3 
S[1] = [F5 76 CD 61 F4 40 5B 88 96 BF 53 
S[2] = [E5 54 74 73 FB DB 43 50 8A E5 3B 
key = [83 95 74 15 87 EO C7 33 E9 EQ AB 
S[O] = [OC BI 0D CD AO 41 CD AC 32 EB 5C 
S[1] = [95 FC 9F CA OF 17 01 5A 7B 70 92 
S[2] = [96 49 E5 DE 8B FC 7F 3F 92 41 47 
A.2 Testing with IV Setup 
mkey = [00 00 00 00 00 00 00 00 00 00 00 
iv = [00 00 00 00 00 00 00 00] 
S[O] = [C6 A7 27 5E F8 54 95 D8 7C CD 5D 
S[1] = [5F 29 A6 AC 04 F5 EF D4 7B 8F 29 
S[2] = [2A DE 82 2B 29 DE 6C 1E E5 2B DB 
iv = [C3 73 F5 75 Cl 26 7E 59] 
s[0] = [1F CD 4E B9 58 00 12 E2 EO DC CC 
S[1] = [A7 5F 4E 10 D1 21 25 01 7B 24 99 
s[2] = [EB C1 12 C3 93 E7 38 39 23 56 BD 
iv = [A6 EB 56 1A D2 F4 17 27] 
S[O] = [44 5A D8 C8 05 85 8D BF 70 B6 AF 
S[1] = [96 C8 F2 79 47 F4 2C 5B AE AE 67 
S[2] = [9F CB FC 89 5F A7 1C 17 31 3D FO 
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00 
1C 
89 
16 


DC 
87 
85 
20 


CO 
02 
4C 
3A 


00 


67 
70 
47] 


22 
ED 
12 


Al 
AC 
FO 


00 
4A 
C6 
73 


51 
E2 
54 
4D 


9B 
DO 
FF 
94 


00 


05 
DC 
BF 


01 
93 
02 


51 
c3 
15 


00 
F7 
8A 
D6 


c3 
51 
FC 
4C 


00 
60 
3E 
74 


00 


B7 
4A 
8F 


7D 
6F 
9B 


10 
5B 
21 


May 2006 


given in octet 


00] 
02] 
A7] 
96] 


AC] 
9C] 
19] 
DEI 


43] 
9B] 
AD] 
28] 


00] 


ED] 
8D] 
66] 


6D] 
2E] 
A7] 


4D] 
03] 
CB] 
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The following set of vectors describes the inner state of Rabbit 
during key and iv setup. It is meant mainly for debugging purposes. 
Octet strings are written according to I20SP conventions. 


B.1. Testing Round Function and Key Setup 


key = [91 28 13 29 2E ED 36 FE 3B FC 62 F1 DC 51 C3 AC] 


Inner state after key expansion: 

b = 0 

X0 = OxDC51C3AC, X1 = 0x13292E3D, X2 = Ox3BFC62F1, 
X4 = 0x2E3D36FE, X5 0x62F1DC51, X6 0x91281329, 
CO = Ox36FE2E3D, Cl = OxDC5162F1, C2 = 0x13299128, 
C4 = OxC3ACDC51, C5 0x2E3D1329, C6 0x62F13BFC, 


Inner state after first key setup iteration: 

b =1 

X0 = OxF2E8C8B1, X1 = 0x38E06FA7, X2 = 0x9A0D72C0, 
X4 = OxCACDCCC3, X5 = 0x4B239CBE, X6 = Ox0565DCCC, 
CO = 0x8433018A, Cl = OxAF9E97C4, C2 = 0x47FCDE5D, 
C4 = 0x96FA1124, C5 = 0x6310605E, C6 = OxBO260F49, 


Inner state after fourth key setup iteration: 

b =0 

X0 = Ox1D059312, X1 OxBDDC3E45, X2 = 0xF440927D, 
X4 = 0x36709423, X5 = Ox0B6F0711, X6 = Ox3ADA3A7B, 
CO = 0x6BD17B74, Cl 0x2986363E, C2 OxE676C5FC, 
C4 = Ox10ElAF9E, C5 = Ox018A47FD, C6 = 0x97C48931, 


Inner state after final key setup xor: 

b = 0 

X0 = Ox1D059312, X1 OxBDDC3E45, X2 = 0xF440927D, 
X4 0x36709423, X5 = OxOB6F0711, X6 = Ox3ADA3A7B, 
CO Ox5DALEF57, Cl 0x22E9312F, C2 OxDCACFF87, 
C4 = OxXODE43C8C, C5 = OxBC5679B8, C6 = Ox63841B4C, 


Inner state after generation of 48 bytes of output: 
b. = 1 

X0 = 0xB5428566, X1 = 0xA2593617, X2 = OxFF5578DE, 
X4 = 0x145CE109, X5 = 0xC93875B0, X6 = 0xD34306E0, 
co 0x45406940, C1 Ox9CDOCFA9, C2 0x7B26E725, 
C4 = Ox87CBDBO6, C5 = 0x5AD06156, C6 = Ox4B229534, 
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x3 
X7 
ES 
C7 


x3 
X7 
c3 
C7 


x3 
X7 
C3 
C7 


X3 
X7 
c3 
C7 


X3 
X7 
c3 
e 


0xC3AC9128, 
Ox36FE3BFC, 
Ox3BFC36FE, 
0x9128C3AC 


0xF21F5334, 
0xB1587C8D, 
0x89310A4B, 
0x6475F87F 


Ox50CBB553, 
OxEB9800C8, 
0x70CF8432, 
OxDESD96F9 


0x50CBB553, 
OxEB9800C8, 
0x9B5784FA, 
0x8E9623AA 


0x7293950F, 
Ox43FEEF87, 
0x82F5FEE2, 
0x087DC224 
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The 48 output bytes: 

S[0] = [3D 2D F3 C8 3E F6 27 Al E9 7F C3 84 87 E2 51 9C] 
S[1] [Fb 76 CD 61 FA 40 5B 88 96 BF 53 AA 85 54 FC 19] 
S[2] [E5 54 74 73 FB DB 43 50 8A E5 3B 20 20 4D 4C 5E] 


B.2. Testing the IV Setup 


key = [91 28 13 29 2E ED 36 FE 3B FC 62 F1 DC 51 C3 AC] 
iv = [C3 73 F5 75 Cl 26 7E 59] 


Inner state during key setup: 
as above 


Inner state after IV expansion: 
b 20 
XO = Ox1D059312, X1 


OxBDDC3E45, X2 0xF440927D, X3 = 0x50CBB553, 
X4 0x36709423, X5 OxOB6F0711, X6 Ox3ADA3A7B, X7 OxEB9800C8, 
CO 0x9C87910E, C1 OxE19AF009, C2 Ox1FDFOAF2, C3 Ox6E22FAA3, 


C4 = 0xCCC242D5, C5 = 0x7F25B89E, C6 = OxXAOF7EE39, C7 = Ox7BE35DF3 


Inner state after first IV setup iteration: 

b =1 

XO = OxC4FF831A, X1 = OxEF5CD094, X2 = 0xC5933855, X3 = OxCOSA5CO3, 
X4 = 0x4A50522F, X5 = OxDF487BE4, X6 = OxA45FA013, X7 0x05531179, 
CO = OxE9BC645B, C1 OxB4E824DC, C2 0x54B25827, C3 OxBB57CDFO, 
C4 = OxA00F77A8, C5 = OxB3F905D3, C6 = OxEE2CC186, C7 = 0x4F3092C6 


Inner state after fourth IV setup iteration: 

b =1 

X0 = 0x6274E424, X1 = 0xE14CE120, X2 = 0xDA8739D9, X3 = 0x65E0402D, 
X4 0xD1281D10, X5 OxBD435BAA, X6 = 0x4E9E7A02, X7 0x9B467ABD, 
co OxD15ADE44, Cl Ox2ECFC356, C2 OxF32C3FC6, C3 OxA2F647D7, 
C4 = 0x19F71622, C5 = Ox5272ED72, C6 = OxD5CB3B6E, C7 = 0xC9183140 
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